From 574ac507dace624e291d9bd83806b1b25c1a8e26 Mon Sep 17 00:00:00 2001
From: Rahul Roshan Kachchap <rahulroshan.kachchap@windriver.com>
Date: Thu, 5 Dec 2024 01:33:31 -0500
Subject: [PATCH] Setting a secure umask value
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

As part of CIS 5.4.2.6:Ensure root user umask is configured,
We have set umask 027 in both /root/.bash_profile and /root/.bashrc,
which ensures that:
- New files created by the root user will have default permissions
  of 640
- New directories created by the root user will have permissions
  of 750

According to the control, setting umask 027 in these files is a
secure practice and meets the guideline for ensuring that root
user files and directories aren’t excessively permissive.

TestPlan
PASS: build-pkgs -c -p base-files-config
PASS: build-image
PASS: bootstrap
PASS: CIS benchmark SCAN
PASS: Verify umask value for root user
      - Log in as root or switch to root
      - Check the umask value by running command `umask`
      - The output/value should be : 0027
PASS: Verify permissions for a newly created file
      - As the root user, create a new file:
        `touch /root/testfile`
      - The output should show -rw-r----- (640 permissions)
PASS: Verify permissions for a newly created directory
      - As the root user, create a new directory:
        `mkdir /root/testdir`
      - The output should show drwxr-x--- (750 permissions)
PASS: Verify That umask persists across new sessions

Story: 2011295
Task: 51390

Change-Id: I4f50f0a8ea626ccefd1f8e958cb5032fdf362992
Signed-off-by: Rahul Roshan Kachchap <rahulroshan.kachchap@windriver.com>
---
 .../deb_folder/base-files-config.install      |  1 +
 base-files-config/debian/deb_folder/rules     |  1 +
 base-files-config/source/umask.sh             | 34 +++++++++++++++++++
 3 files changed, 36 insertions(+)
 create mode 100644 base-files-config/source/umask.sh

diff --git a/base-files-config/debian/deb_folder/base-files-config.install b/base-files-config/debian/deb_folder/base-files-config.install
index 29b14f9..f87f30b 100644
--- a/base-files-config/debian/deb_folder/base-files-config.install
+++ b/base-files-config/debian/deb_folder/base-files-config.install
@@ -1,5 +1,6 @@
 etc/profile.d/custom.sh
 etc/profile.d/prompt.sh
+etc/profile.d/umask.sh
 etc/systemd/system/cron.service.d/cron-cpu-shares.conf
 etc/systemd/system/rsync.service.d/rsync-cpu-shares.conf
 etc/vim/vimrc.local
diff --git a/base-files-config/debian/deb_folder/rules b/base-files-config/debian/deb_folder/rules
index 239d240..acb892b 100644
--- a/base-files-config/debian/deb_folder/rules
+++ b/base-files-config/debian/deb_folder/rules
@@ -11,6 +11,7 @@ ROOT := $(CURDIR)/debian/tmp
 override_dh_install:
 	install -p -D -m 644 custom.sh             ${ROOT}/etc/profile.d/custom.sh
 	install -p -D -m 644 prompt.sh             ${ROOT}/etc/profile.d/prompt.sh
+	install -p -D -m 644 umask.sh              ${ROOT}/etc/profile.d/umask.sh
 	install -p -D -m 644 cron-cpu-shares.conf  ${ROOT}/etc/systemd/system/cron.service.d/cron-cpu-shares.conf
 	install -p -D -m 644 rsync-cpu-shares.conf ${ROOT}/etc/systemd/system/rsync.service.d/rsync-cpu-shares.conf
 	install -p -D -m 644 vimrc.local           ${ROOT}/etc/vim/vimrc.local
diff --git a/base-files-config/source/umask.sh b/base-files-config/source/umask.sh
new file mode 100644
index 0000000..ff37a30
--- /dev/null
+++ b/base-files-config/source/umask.sh
@@ -0,0 +1,34 @@
+#
+# Copyright (c) 2024 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+#!/bin/bash
+
+# Check if running as root and configure umask for root
+if [ "$(id -u)" -eq 0 ]; then
+    # Ensure /root/.bashrc exists and contains the umask setting
+    if [ ! -f /root/.bashrc ]; then
+        echo "umask 027" > /root/.bashrc
+        chmod 600 /root/.bashrc
+    elif ! grep -q "umask 027" /root/.bashrc; then
+        echo "umask 027" >> /root/.bashrc
+    fi
+
+    # Ensure /root/.bash_profile exists and contains the umask setting
+    if [ ! -f /root/.bash_profile ]; then
+        echo "umask 027" > /root/.bash_profile
+        chmod 600 /root/.bash_profile
+    elif ! grep -q "umask 027" /root/.bash_profile; then
+        echo "umask 027" >> /root/.bash_profile
+    fi
+
+    # Set permissions for both files
+    chmod 600 /root/.bashrc 2>/dev/null || {
+        logger -p user.err "ERROR: Failed to set permissions to 600 for /root/.bashrc"
+    }
+    chmod 600 /root/.bash_profile 2>/dev/null || {
+        logger -p user.err "ERROR: Failed to set permissions to 600 for /root/.bash_profile"
+    }
+fi